In recent years, a type of malware called “Ransomware” has become widespread worldwide.
Like other common malware, Ransomware infects computer terminals via the Internet or e-mail.
Once Ransomware infects a terminal, it encrypts (or locks) some or all of the files on the terminal in order to prevent use of the files or of the terminal itself, and demands payment of a ransom. Ransomware is a threatening type of malware that demands money in return for restoring the encrypted files.
In the case of Ransomware, file encryption starts immediately upon infection. Therefore, if the Ransomware is a specimen unknown to the security software, normal detection such as detection by a pattern file cannot be made in time, and it is difficult to prevent file encryption by the Ransomware. Even if the infection is noticed early and measures such as turning off the terminal are taken immediately, some files will already have been encrypted, and it is very difficult to completely stop the damage caused by Ransomware.
The following method for detecting Ransomware is well known. In this method, a current user behavior pattern is monitored based on user input via a user input device. The user behavior is compared against a reference set of behavior patterns associated with user frustration with non-responsiveness of the user interface module. A current status pattern of the operating system is also monitored. The current status pattern is compared against a reference set of operating system status patterns associated with predefined ransomware behavior. In response to indicia of current user frustration with non-responsiveness of the user interface, and further in response to indicia of the current status pattern having a correlation to the predefined ransomware behavior, an indication of a positive detection of ransomware executing on the computer system is provided (see Patent Reference 1).